b' DEPARTMENT OF HOMELAND SECURITY\n\n Of\xef\xac\x81ce of Inspector General\n\n\n\n   Progress and Challenges in Securing\n         the Nation\xe2\x80\x99s Cyberspace\n\n\n\n\n Of\xef\xac\x81ce of Information Technology\nOIG-04-29                    July 2004\n\x0c\x0c                                                                      Of\xef\xac\x81ce of Inspector General\n\n                                                                      U.S. Department of Homeland Security\n                                                                      Washington, DC 20528\n\n\n\n\n                                              Preface\n\nThe Department of Homeland Security (DHS) Of\xef\xac\x81ce of Inspector General (OIG) was established\nby the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector\nGeneral Act of 1978. This is one of a series of audit, inspection, investigative, and special reports\nprepared by the OIG as part of its DHS oversight responsibility to identify and prevent fraud,\nwaste, abuse, and mismanagement.\n\nThis report assesses the strengths and weaknesses of the program or operation under review. It\nis based on interviews with employees and of\xef\xac\x81cials of relevant agencies and institutions, direct\nobservations, and a review of applicable documents.\n\nThe recommendations herein have been developed to the best knowledge available to the OIG,\nand have been discussed in draft with those responsible for implementation. It is my hope that\nthis report will result in more effective, ef\xef\xac\x81cient, and economical operations. 
I express my\nappreciation to all of those who contributed to the preparation of this report.\n\n\n\n\n                                              Clark Kent Ervin\n                                              Inspector General\n\x0c\x0c                                                                                                                              Contents\n\n  Introduction ......................................................................................................................................3\n\n  Results in Brief .............................................................................................................................. 3\n\n  Background ......................................................................................................................................5\n\n  Progress         ........................................................................................................................................8\n\n  Challenges\xe2\x80\xa6 ................................................................................................................................ 10\n\n  Recommendations\xe2\x80\xa6 .................................................................................................................... 15\n\n  Management Comments and OIG Evaluation ............................................................................. 16\n\nAppendices\n\n  Appendix A:                 Purpose, Scope, and Methodology ................................................................. 21\n  Appendix B:                 Management\xe2\x80\x99s Response ................................................................................ 22\n  Appendix C:                 Major Contributors to this Report ................................................................... 
28\n  Appendix D:                 Report Distribution ......................................................................................... 29\n\n\nAbbreviations\n\n  CERT\xc2\xae/CC                    CERT\xc2\xae Coordination Center\n  CISO                        Chief Information Security Of\xef\xac\x81cer\n  DHS                         Department of Homeland Security\n  FedCIRC                     Federal Computer Incident Response Center\n  FTE                         Full-Time Equivalent\n  GFIRST                      Government Forum of Incident Response and Security Teams\n  HSOC                        Homeland Security Operations Center\n  IAIP                        Information Analysis and Infrastructure Protection\n  IIMG                        Interagency Incident Management Group\n  IT                          Information Technology\n  NCSD                        National Cyber Security Division\n  OIG                         Of\xef\xac\x81ce of Inspector General\n  US-CERT                     United States Computer Emergency Readiness Team\n\n\n\n                           Progress and Challenges in Securing the Nation\xe2\x80\x99s Cyberspace                                                                  Page 1\n\x0cPage 2   Progress and Challenges in Securing the Nation\xe2\x80\x99s Cyberspace\n\x0cOIG\nDepartment of Homeland Security\nOf\xef\xac\x81ce of Inspector General\n\n\n    Introduction\n                                  The speed, virulence, and maliciousness of cyber attacks have increased\n                                  dramatically in recent years. More and more people are capable of launching\n                                  signi\xef\xac\x81cant assaults against the nation\xe2\x80\x99s infrastructure and cyberspace because of\n                                  the increasing sophistication of computer attack tools. 
As noted by the CERT\xc2\xae\n                                  Coordination Center (CERT\xc2\xae/CC), identi\xef\xac\x81ed computer security vulnerabilities\n                                  that an attacker can exploit have increased dramatically, with the number of\n                                  vulnerabilities quadrupling from 1,090 in 2000 to 4,129 in 2002. Industry experts\n                                  agree that cyber terrorism, in which computer systems become targets, is one of\n                                  the nation\xe2\x80\x99s top \xef\xac\x81ve security threats and will likely remain so for years to come.1\n\n                                  Due to the signi\xef\xac\x81cance of cyber threats on the United States and their possible\n                                  consequences, the security of cyber systems is one of the Department of\n                                  Homeland Security\xe2\x80\x99s (DHS) highest priorities. The objectives of our audit were\n                                  to determine whether DHS\xe2\x80\x99 efforts to implement the White House\xe2\x80\x99s cyber strategy\n                                  - The National Strategy to Secure Cyberspace2 - and to protect the nation\xe2\x80\x99s critical\n                                  infrastructure from a major cyber terrorist attack are adequate and effective.\n                                  We performed our work at the National Cyber Security Division (NCSD) from\n                                  December 2003 through February 2004. See Appendix A for a discussion of our\n                                  purpose, scope, and methodology.\n\n    Results in Brief\n                                  DHS has begun to implement the actions and recommendations detailed in The\n                                  National Strategy to Secure Cyberspace. 
With the establishment of NCSD in June\n                                  2003, DHS made notable progress in protecting the nation\xe2\x80\x99s critical infrastructure\n                                  from cyber vulnerabilities, threats, and attacks. Major accomplishments include:\n\n                                        \xe2\x80\xa2     Creation of the United States Computer Emergency Readiness Team\n                                              (US-CERT). Formed as a partnership between NCSD and the private\n\n    1\n        SC Magazine, December 2002.\n    2\n        The White House issued The National Strategy to Secure Cyberspace in February 2003.\n\n\n\n\n                                Progress and Challenges in Securing the Nation\xe2\x80\x99s Cyberspace                    Page 3\n\x0c                                         sector, US-CERT serves as the national focal point for computer security\n                                         efforts.\n\n                                   \xe2\x80\xa2     Establishment of the National Cyber Alert System, managed by\n                                         US-CERT, as the means to relay cyber security information to all\n                                         computer users.\n\n                                   \xe2\x80\xa2     Participation by NCSD in Dartmouth College\xe2\x80\x99s cyber focused\n                                         communications and coordination exercise (LiveWire).3\n\n                                   \xe2\x80\xa2     Sponsorship by NCSD of the National Cyber Security Summit to\n                                         promote information sharing and partnerships with the private sector in\n                                         securing cyberspace.4\n\n                                   \xe2\x80\xa2     Formation of three new organizations to strengthen federal information\n                                         technology (IT) defenses and coordinate responses to system 
threats.5\n\n                             Though NCSD has undertaken some major initiatives, it still faces a number of\n                             challenges to address long-term cyber threats and vulnerabilities to the nation\xe2\x80\x99s\n                             critical infrastructure. Speci\xef\xac\x81cally, NCSD has not:\n\n                                   \xe2\x80\xa2     Prioritized its initiatives to address the recommendations in The National\n                                         Strategy to Secure Cyberspace.\n\n                                   \xe2\x80\xa2     Identi\xef\xac\x81ed the resources needed to ensure that it can identify, analyze, and\n                                         reduce long-term cyber threats and vulnerabilities.\n\n                                   \xe2\x80\xa2     Developed strategic implementation plans, including performance\n                                         measures and milestones, focusing on the division\xe2\x80\x99s priorities, initiatives,\n                                         and tasks.\n\n                                   \xe2\x80\xa2     Instituted a formal communications process within DHS, as well as the\n                                         public, private, and international sectors.\n\n\n3\n  Conducted in October 2003, LiveWire was a national communications and coordination exercise designed to test current preparedness,\nbusiness processes, and communications paths by imitating a variety of cyber attacks and demonstrating interdependencies between the\ncyber infrastructure and other critical infrastructures.\n4\n  As a result of the summit, \xef\xac\x81ve task forces, sponsored by the private sector, were formed and reported their \xef\xac\x81ndings and recommendations\non key security issues facing the United States.\n5\n  The three organizations formed were the Government Forum of Incident Response and Security Teams (GFIRST), the Federal Chief\nInformation Security 
Of\xef\xac\x81cers (CISO) Forum, and the Cyber Interagency Incident Management Group (IIMG).\n\n\nPage 4                                        Progress and Challenges in Securing the Nation\xe2\x80\x99s Cyberspace\n\x0c                    \xe2\x80\xa2     Initiated and implemented a process to oversee and coordinate efforts\n                          to develop best practices and create cyber security policies with other\n                          government agencies and the private sector.\n\n                    \xe2\x80\xa2     Reviewed or updated the actions and recommendations in The National\n                          Strategy to Secure Cyberspace.\n\n               NCSD must address these issues to reduce the risk that the critical infrastructure\n               may fail due to cyber attacks.\n\n               In response to our draft report, IAIP agreed with and has already taken steps to\n               implement each of the recommendations. However, IAIP also said that some\n               of our recommendations have been rendered obsolete or overcome by new\n               circumstances. Based on our assessment of IAIP\xe2\x80\x99s speci\xef\xac\x81c comments, none of\n               the recommendations have been fully implemented, and therefore, the conditions\n               noted in the report continue to exist. IAIP\xe2\x80\x99s response is summarized and\n               evaluated in the body of this report and included, in its entirety, as Appendix B.\n\nBackground\n               Critical infrastructures, economy, and national security in the United States\n               are dependent on IT and telecommunications systems. 
The consequences of\n               a cyber attack on our critical information networks and infrastructures, which\n               are composed of public and private institutions in many different sectors under\n               the guidance of federal lead departments and agencies (illustrated in Figure 1\n               below), can have a signi\xef\xac\x81cant negative effect on the United States. The resulting\n               widespread disruption of essential services after a cyber attack could delay the\n               noti\xef\xac\x81cation of emergency services, damage our economy, and put public safety at\n               risk.\n\n\n\n\n             Progress and Challenges in Securing the Nation\xe2\x80\x99s Cyberspace                       Page 5\n\x0c           Figure 1\n                                                          Critical Infrastructure Lead Agencies\n\n                                            Lead Agencies                                                Sectors\n                                                                                 Agriculture\n                               Department of Agriculture\n                                                                                 Food (meat, poultry, and egg products)\n                               Department of Defense                             Defense Industrial Base\n                               Department of Energy                              Energy\n                                                                                 Public Health\n                               Department of Health and Human\n                                                                                 Healthcare\n                               Services\n                                                                                 Food (except meat, poultry, and egg products)\n                                                                                 Information Technology\n    
                                                                             Telecommunications\n                                                                                 Chemical\n                               Department of Homeland Security\n                                                                                 Transportation Systems\n                                                                                 Postal and Shipping\n                                                                                 Emergency Services\n                               Department of the Interior                        National Monuments and Icons\n                               Department of the Treasury                        Banking and Finance\n                                                                                 Drinking Water\n                               Environmental Protection Agency\n                                                                                 Water Treatment Systems\n\n                              In response to the September 11, 2001, terrorist attacks, The National Strategy for\n                              Homeland Security6 was developed to mobilize and organize national homeland\n                              security functions to secure the United States from future attacks. 
The National\n                              Strategy for Homeland Security organizes homeland security functions into six\n                              critical mission areas, including protecting critical infrastructure and key assets.\n                              Eight major initiatives come under the area of protecting critical infrastructure and\n                              key assets, including the need to secure cyberspace.\n\n                              As the \xef\xac\x81rst step in the long-term effort to secure the nation\xe2\x80\x99s information\n                              infrastructure and to provide a framework for protecting cyberspace,7 the White\n                              House issued The National Strategy to Secure Cyberspace in February 2003.\n                              This blueprint is an integral part of DHS\xe2\x80\x99 overall mission to protect the nation\xe2\x80\x99s\n                              information systems. It highlights actions and recommendations that the federal\n\n\n6\n  The White House issued The National Strategy for Homeland Security in July 2002.\n7\n  For the purposes of this audit, cyberspace refers to the interconnected information systems and networks that comprise the Nation\xe2\x80\x99s\ninfrastructure.\n\n\nPage 6                                         Progress and Challenges in Securing the Nation\xe2\x80\x99s Cyberspace\n\x0c                             government and the private sector should take to address the nation\xe2\x80\x99s \xef\xac\x81ve\n                             cyberspace priorities:\n\n                                  \xe2\x80\xa2     Priority I - A National Cyberspace Security Response System\n\n                                  \xe2\x80\xa2     Priority II - A National Cyberspace Security Threat and Vulnerability\n                                        Reduction Program\n\n                                  \xe2\x80\xa2     Priority III - A National Cyberspace Security 
Awareness and Training\n                                        Program\n\n                                  \xe2\x80\xa2     Priority IV - Securing Governments\xe2\x80\x99 Cyberspace\n\n                                  \xe2\x80\xa2     Priority V - National Security and International Cyberspace Security\n                                        Cooperation\n\n                             DHS plays a central role in executing The National Strategy to Secure\n                             Cyberspace. In addition to implementing the actions directly assigned to it,\n                             DHS serves as the primary point of contact for the public and private sectors on\n                             issues related to cyberspace security. In cooperation with the White House, DHS\n                             coordinates and supports implementation of non-federal tasks, such as getting\n                             home users and small businesses to secure their connections to cyberspace.\n\n                             Due to the signi\xef\xac\x81cance of cyber threats to the nation, the security of cyber\n                             systems is one of the highest priorities within DHS. 
In March 2003, DHS merged\n                             several organizational components, which it had inherited, and combined them\n                             under its newly formed Information Analysis and Infrastructure Protection (IAIP)\n                             Directorate.8 IAIP has the responsibility to: (1) identify and assess a broad\n                             range of intelligence information concerning current and future threats against\n                             the United States; (2) map identi\xef\xac\x81ed threats against nationwide vulnerabilities;\n                             (3) issue timely warnings and advisories for the full spectrum of terrorist threats\n                             against the homeland, including physical and cyber events; (4) take appropriate\n                             preventive or protective actions to mitigate identi\xef\xac\x81ed risks and assist in response\n                             and recovery efforts; and, (5) carry out comprehensive assessments of the\n                             vulnerabilities of the key resources and critical infrastructure of the United States.\n\n\n\n\n8\n  The following organizational components were brought together to form DHS\xe2\x80\x99 IAIP Directorate: Critical Infrastructure Assurance Of\xef\xac\x81ce,\nFederal Computer Incident Response Center (FedCIRC), National Communications System, National Infrastructure Protection Center, and\nNational Infrastructure Simulation and Analysis Center and Energy Security and Assurance Program.\n\n\n                          Progress and Challenges in Securing the Nation\xe2\x80\x99s Cyberspace                                          Page 7\n\x0c                              IAIP created NCSD in June 2003 to implement the actions and recommendations\n                              described in The National Strategy to Secure Cyberspace, as well as to be\n                              the national focal point to address cyber 
security issues in the United States.\n                              Its mission includes: (1) identifying, analyzing, and reducing cyber threats\n                              and vulnerabilities; (2) disseminating cyber threat warning information; (3)\n                              coordinating cyber incident response; and, (4) providing technical assistance in\n                              continuity of operations and recovery from cyber incidents.\n\nDHS Is Making Progress\n                              With the creation of NCSD, DHS raised the nation\xe2\x80\x99s awareness of the possibility\n                              of cyber terrorist attacks and the need to protect critical infrastructures from\n                              such attacks. NCSD has undertaken several initiatives to address the actions and\n                              recommendations in The National Strategy to Secure Cyberspace, including:\n\n                                    \xe2\x80\xa2    Creation of US-CERT.9 In partnership with CERT\xc2\xae/CC at Carnegie\n                                         Mellon University, US-CERT serves as the national focal and\n                                         coordination point for computer security efforts. US-CERT is\n                                         charged with analyzing and reducing cyber threats and vulnerabilities;\n                                         disseminating cyber threat warning information; and, coordinating\n                                         incident response. The creation of US-CERT satis\xef\xac\x81es the \xef\xac\x81rst\n                                         recommendation associated with Priority I in The National Strategy to\n                                         Secure Cyberspace. 
Priority I calls for the creation of a single point of\n                                         contact for the federal government\xe2\x80\x99s interaction with industry and other\n                                         partners for continual functions, including cyberspace analysis, warning,\n                                         information sharing, major incident response, and national recovery\n                                         efforts.\n\n                                    \xe2\x80\xa2    Implementation of the National Cyber Alert System.10 This alert system\n                                         is the nation\xe2\x80\x99s \xef\xac\x81rst cohesive cyber security system to identify, analyze,\n                                         and prioritize emerging vulnerabilities and threats. Through security\n                                         alerts, tips, and bulletins, the system disseminates information on cyber\n                                         security issues and provides free computer security update and warnings\n                                         to all computer users who sign up on US-CERT\xe2\x80\x99s web site.11 Cyber\n                                         security alerts are issued when vulnerabilities are identi\xef\xac\x81ed or exploited.\n                                         Bi-weekly cyber security tips provide information on best computer\n\n9\n  US-CERT was created in September 2003.\n10\n   The National Cyber Security Alert System was implemented in January 2004.\n11\n   As of February 9, 2004, over 250,000 users have subscribed to the system. 
Also, as of March 24, 2004, 6 cyber alerts, 5 security tips and\n5 security bulletins have been issued.\n\n\n\nPage 8                                         Progress and Challenges in Securing the Nation\xe2\x80\x99s Cyberspace\n\x0c                                        security practices, as well as \xe2\x80\x9chow-to\xe2\x80\x9d information, for all users in\n                                        both a technical and non-technical format. Security bulletins, also bi-\n                                        weekly, provide summaries about security issues, noti\xef\xac\x81cation of new\n                                        vulnerabilities, potential impact, and actions required to mitigate risk.\n                                        With the implementation of the National Cyber Alert System, NCSD\n                                        addresses recommendations that fall under Priority III in The National\n                                        Strategy to Secure Cyberspace.\n\n                                   \xe2\x80\xa2    Participation in Dartmouth College\xe2\x80\x99s cyber focused communications and\n                                        coordination exercise (LiveWire). Conducted in October 2003, LiveWire\n                                        was a large scale exercise designed to test the coordination of private and\n                                        public sector incident management, response, and recovery capabilities.\n                                        The results of the exercise are being used as a foundation for DHS\xe2\x80\x99\n                                        response capabilities to a cyber attack, and to plan for LiveWire II,\n                                        which began in February 2004. 
As recommended under Priority I in The\n                                        National Strategy to Secure Cyberspace, DHS uses exercises to evaluate\n                                        the impact of cyber attacks on government-wide processes and to test the\n                                        coordination of public and private sector incident management, response,\n                                        and recovery capabilities.\n\n                                   \xe2\x80\xa2    Hosting the National Cyber Security Summit.12 This summit was\n                                        designed to strengthen partnerships between NCSD and the private\n                                        sector, and focused on addressing key security issues facing the United\n                                        States. Five private sector task forces were formed during the summit:\n                                        Awareness for Home Users and Small Businesses; Cyber Security Early\n                                        Warning, Best Practices and Standards; Corporate Governance, Best\n                                        Practices and Standards; Technical Standards and Common Criteria;\n                                        and Security Across the Software Development Life Cycle: Secure\n                                        Software. These task forces will recommend strategies to address the\n                                        national cyberspace priorities outlined in The National Strategy to Secure\n                                        Cyberspace.\n\n                                   \xe2\x80\xa2    Establishment of three new organizations to strengthen federal IT\n                                        defenses, coordinate responses to systems threats, and improve\n                                        information sharing. 
Facilitated by NCSD, the three organizations\n                                        - GFIRST, Federal CISO Forum, and Cyber IIMG - are composed\n                                        of management of\xef\xac\x81cials from the federal government. GFIRST\n                                        was established to share operational incident response data, tools,\n\n\n12\n     The National Cyber Security Summit was hosted by NCSD in December 2003.\n\n\n                           Progress and Challenges in Securing the Nation\xe2\x80\x99s Cyberspace                        Page 9\n\x0c                       technologies, and techniques between security practitioners across the\n                       federal government. The Federal CISO Forum was launched to provide\n                       a trusted environment for agencies to share positive and negative\n                       experiences with technology and applications. Through the Cyber\n                       IIMG, NCSD formed a group to address cyber attack attribution issues,\n                       as well as a working group to discuss threat scenarios and mitigation\n                       tactics and techniques. As recommended under Priority I in The National\n                       Strategy to Secure Cyberspace, these organizations will work together\n                       to remove impediments to information sharing about cyber security and\n                       infrastructure vulnerabilities within the federal government.\n\n              In addition, NCSD is establishing programs with the National Science\n              Foundation, the National Security Agency, and other federal agencies to educate,\n              train, and certify students and professionals on information assurance and cyber\n              security. NCSD plans to launch a US-CERT cyber exchange partnership program\n              during 2004. 
This program will provide public and private organizations active\n              in cyber security watch, warning, and response activities with a trusted forum to\n              exchange and coordinate information and events. Also, NCSD is participating\n              in international forums to promote the international aspects of protecting critical\n              infrastructures from cyber terrorism. These activities directly address priorities\n              established in The National Strategy to Secure Cyberspace.\n\nChallenges Remain In Developing a U.S. Cyber Protection Program\n              Despite the progress made, DHS faces signi\xef\xac\x81cant challenges in developing\n              and implementing a program to protect our national cyber infrastructure. DHS\n              has experienced delays in establishing its structure, which includes de\xef\xac\x81ning its\n              budget and staf\xef\xac\x81ng requirements, and faces a number of additional challenges\n              in instituting the enhanced cyber threat analysis organization that is needed to\n              address long-term threats and vulnerabilities to the nation\xe2\x80\x99s critical infrastructure.\n\n              Prioritize Initiatives and Establish Milestones\n\n              NCSD has not prioritized its initiatives or established individual milestones and\n              benchmarks. There is little assurance that NCSD can successfully address the\n              actions and recommendations in The National Strategy to Secure Cyberspace\n              in a timely manner if milestones are not established. Milestones are needed to\n              monitor the implementation of the actions and recommendations. 
Additionally, NCSD cannot substantiate its budget and staffing needs, validate its organizational structure, develop performance measures, or coordinate and oversee efforts to mitigate long-term cyber security vulnerabilities and threats if these initiatives are not prioritized.

Because its goals and initiatives have not yet been prioritized, NCSD’s branch chiefs assign staff to so-called mission critical tasks and activities, without official input or oversight from management. The director of NCSD, who did not report to DHS until mid-October 2003, first began conducting weekly staff meetings to discuss priorities in February 2004.

Resource Requirements Identification

NCSD has not identified its long-term budget or resource requirements based on the priorities that must be established to carry out its mission. During a four-month period, NCSD drafted three different organizational structures. Each was a refinement that permitted NCSD to align its areas of focus with its available resources and tasks.
The finalization of its organizational structure is necessary for NCSD to establish its long-term budget and staffing requirements, develop strategic plans, implement performance measures, and oversee efforts to address the recommendations in The National Strategy to Secure Cyberspace.

IAIP provided NCSD with a budget of $78.85 million and 29 full-time equivalent (FTE) staff for fiscal year 2004. NCSD also relies heavily on contractors to address many of its initiatives and tasks. According to NCSD management officials, additional resources will be needed as the division’s priorities and structure become better defined. As of February 23, 2004, NCSD had a staff of 84 (21 FTEs and 63 contractors).

NCSD has estimated that a staff of 112 (45 FTEs and 67 contractors), and a proposed budget of $79.62 million will be needed to accomplish the goals IAIP has proposed for FY 2004.[13] Though NCSD’s 2004 estimates are not based on the division’s priorities or initiatives, efforts are under way to justify staffing and budget increases based on the priorities established in The National Strategy to Secure Cyberspace, such as the assessment of threats and vulnerabilities to federal cyber systems.
Remediation plans then can be developed to secure the government’s cyberspace.

[13] See Figure 2 for NCSD’s proposed staffing and budget as of February 23, 2004.

Figure 2: NCSD Organization (as of February 23, 2004)

Strategic Plans and Performance Measures

NCSD has not developed a strategic plan, with specific goals, objectives, and milestones, to implement its initiatives and to ensure that processes coincide with the national priorities and recommendations in The National Strategy to Secure Cyberspace. An approved strategic implementation plan helps ensure that processes are established and that NCSD is focusing on the critical tasks necessary to secure the nation’s critical cyber infrastructure. Additionally, performance measures are needed to allow management to assess NCSD’s progress in addressing priorities and attaining strategic goals and milestones. NCSD cannot track in an efficient and effective manner its or other public and private organizations’ progress in implementing The National Strategy to Secure Cyberspace if performance measures are not developed and monitored.

Only one branch within NCSD, Vulnerability Analysis, has drafted a plan formally to document its strategic and performance goals and objectives.
The plan, however, has not been reviewed or approved by NCSD management. NCSD needs to ensure that each branch develops and implements strategic plans and processes that are focused on the priorities and processes that will enable it to accomplish its mission. In addition, the performance measures that will be used to evaluate NCSD’s progress in building an effective organization capable of mitigating long-term cyber threats and vulnerabilities should be addressed within each branch’s strategic plan.

In February 2002, the Office of Management and Budget reported to Congress that the lack of performance measures was one of six common government-wide security weaknesses. As documented in The National Strategy to Secure Cyberspace, each federal department and agency will be accountable for its performance on cyber security efforts and be responsible for employing performance measures to evaluate progress in implementing the recommendations in The National Strategy to Secure Cyberspace. Also, the performance measures utilized should allow agencies to make resource allocation decisions and adjust priorities accordingly.

Improve Formal Communications

NCSD has not instituted a formal communications process within DHS, or within the government, private, intelligence, or international communities. In addition, NCSD has not determined how best to communicate US-CERT’s mission, roles, and responsibilities to its partners.
The communications process is critical to ensuring that the assistance DHS is providing to secure cyber systems and infrastructures will be utilized by the public and private sectors, and to encouraging the sharing of critical cyber threat and vulnerability information. This includes any pertinent intelligence information, so that NCSD has the information it needs to accomplish its mission. Priority I of The National Strategy to Secure Cyberspace calls for DHS to raise awareness and remove impediments to information sharing regarding cyber security and infrastructure vulnerabilities between the public and private sectors, too. DHS cannot address this recommendation effectively without a formal communications process.

NCSD and the Homeland Security Operations Center (HSOC) communicate and share cyber threat information on a daily basis. This process is an effective way to ensure that NCSD receives all cyber-related threat information that comes into HSOC. NCSD communicates with DHS’ Chief Information Security Officer (CISO) and other federal agencies, too, including the intelligence and law enforcement communities on a regular basis. Many of these communications, however, are on an ad hoc basis, relying on personal relationships NCSD personnel have developed with people over the years.
The reliance on personal relationships for key communications is risky and could result in NCSD’s not receiving or sharing critical cyber security information if those contacts are not available or if the person initiating the contact no longer works for NCSD or DHS.

In interviews with government and private sector partners, we learned that NCSD’s mission, structure, and roles and responsibilities are not adequately communicated to its partners in the public and private sectors. Several partners interviewed suggested that the government’s communication mechanisms need to be improved, e.g., advertising has not been used to reach the public at large.

Effectively Oversee and Provide Guidance

NCSD has not developed a formal process to oversee or provide guidance on cyberspace security issues to DHS, other federal, state, and local governments, and the private sector. According to NCSD management officials, oversight responsibilities were not formally established or specifically addressed with the creation of the division.

The National Strategy to Secure Cyberspace is but a first step in a long-term effort to secure the nation’s information infrastructure. The federal government is to continue broad partnerships in the public and private sectors to develop, implement, and refine The National Strategy to Secure Cyberspace. DHS has been assigned the central role in its implementation.
It is responsible for overseeing federal department and agency plans and programs to execute the initiatives assigned; coordinating and supporting the implementation of recommended non-federal tasks; providing the guidance to address the tasks assigned; and, periodically refining The National Strategy to Secure Cyberspace.

Through its Outreach Branch, NCSD is coordinating with other government agencies and private sector organizations; multi-state, IT, and sector Information Sharing and Analysis Centers; and DHS’ Office of the Chief Information Officer on critical infrastructure protection issues. It is not, however, actively overseeing the performance of those entities. Meanwhile, NCSD is relying on the National Institute of Standards and Technology to establish guidance for cyber security. Effective oversight and guidance by DHS is needed to ensure that all federal, state, and local government agencies, as well as the private sector, are properly securing their own critical infrastructures.

Recommendations

We recommend that the Under Secretary for IAIP direct the Assistant Secretary for Infrastructure Protection:

Recommendation #1:

Prioritize NCSD’s initiatives and establish milestones based on the funding available. A plan for ensuring the completion of priorities needs to be developed and tied to specific milestone completion dates.

Recommendation #2:

Finalize NCSD’s organizational structure, with supporting budget and staffing levels for each branch.
To do this, NCSD should obtain IAIP management’s approval of the budget and resources needed to carry out its mission and implement The National Strategy to Secure Cyberspace. Approved budget resources and staffing can then be allocated to each branch.

Recommendation #3:

Ensure that NCSD and each branch develop strategic implementation plans identifying milestones and completion dates that coincide with the division’s priorities, the roles and responsibilities of its staff, and the tasks needed to implement The National Strategy to Secure Cyberspace. Management should approve these plans and use them to monitor and evaluate NCSD’s progress in accomplishing its initiatives, priorities, and tasks.

Recommendation #4:

Develop performance measures that can be used to determine the progress DHS and all other responsible organizations (public and private sector) are making in addressing the actions and recommendations in The National Strategy to Secure Cyberspace. The performance measures should be reviewed periodically to ensure that they are being met.

Recommendation #5:

Define and communicate the roles and responsibilities of the division, its branches, and its staff.
Develop a plan to improve NCSD’s communications with its public and private sector partners, including home users, on its structure, mission, and roles as well as responsibilities regarding cyber security awareness and protection.

Recommendation #6:

Develop and document a process to communicate and share information obtained on cyber vulnerabilities, threats, and incidents with key federal, state and local government intelligence and law enforcement agencies.

Recommendation #7:

Initiate and implement a process to oversee DHS and other federal, state, and local government efforts to protect their respective critical infrastructures from cyber vulnerabilities and threats.

Recommendation #8:

Develop and issue necessary guidance and directives on protecting critical infrastructures from cyber vulnerabilities and threats and improving security.

Recommendation #9:

Review and refine periodically the actions and recommendations in The National Strategy to Secure Cyberspace.

Management Comments and OIG Evaluation

We obtained written comments (Appendix B) on a draft of this report from IAIP. Generally, IAIP agreed with the report’s findings and recommendations and said that significant advancements in addressing all of the recommendations have been made. However, IAIP also said that some of our recommendations have been rendered obsolete or overcome by new circumstances.
Based on our assessment of IAIP’s specific comments, none of the recommendations have been fully implemented, and therefore, the conditions noted in the report continue to exist. Below is a summary of IAIP’s response to each recommendation and our assessment of the response.

Recommendation #1: Prioritize NCSD’s initiatives and establish milestones based on the funding available. A plan for ensuring the completion of priorities needs to be developed and tied to specific milestone completion dates.

IAIP agreed that the formulation of milestones is an important step to achieve results and to execute a plan. In March and early April 2004, NCSD created detailed internal milestones, including completion dates and priorities. This information was tied to budget figures and submitted to the United States House of Representatives Select Committee on Homeland Security in May 2004. Correspondingly, each branch within NCSD has been engaged in updating their respective milestones and in correlating those milestones to manpower needs and funding requirements for fiscal years 2004, 2005, and 2006.

We accept IAIP’s response that milestones have been established based on funding available. NCSD still needs to develop a plan to ensure that milestones are prioritized and the timelines for completing milestones are being met. NCSD should provide us with a copy of the plan.

Recommendation #2: Finalize NCSD’s organizational structure, with supporting budget and staffing levels for each branch.
To do this, NCSD should obtain IAIP management’s approval of the budget and resources needed to carry out its mission and implement The National Strategy to Secure Cyberspace. Approved budget resources and staffing can then be allocated to each branch.

IAIP agreed with our recommendation. On March 18, 2004, NCSD finalized and implemented the division’s organizational structure. NCSD will continually assess its organizational structure for operational efficiency and expects to release a revised version of the organizational structure in the third quarter of 2004. An initial budget and staffing plan has also been developed, and the current budget justification cycle is being utilized to refine and to accurately reflect the organizational structure for the FY 2005 and FY 2006 budget submission.

We agree that the steps that NCSD has taken, and plans to take, satisfy this recommendation.

Recommendation #3: Ensure that NCSD and each branch develop strategic implementation plans identifying milestones and completion dates that coincide with the division’s priorities, the roles and responsibilities of its staff, and the tasks needed to implement The National Strategy to Secure Cyberspace. Management should approve these plans and use them to monitor and evaluate NCSD’s progress in accomplishing its initiatives, priorities, and tasks.

IAIP accepted and is implementing this recommendation.

We accept IAIP’s response to our recommendation.
NCSD should provide us with specific dates when it expects their strategic implementation plans will be completed and approved.

Recommendation #4: Develop performance measures that can be used to determine the progress DHS and all other responsible organizations (public and private sector) are making in addressing the actions and recommendations in The National Strategy to Secure Cyberspace. The performance measures should be reviewed periodically to ensure that they are being met.

IAIP is currently working with each of the Department’s directorates and divisions to develop performance measures and metrics. NCSD agreed to work within the framework of performance measures and metrics for the overall infrastructure protection program. When complete, these performance measures and metrics will provide a basis for continuous measurement and improvement across DHS.

We agree that NCSD has taken steps to address the intent of this recommendation. NCSD should also develop performance measures for the public and private sector organizations that are responsible for addressing the actions and recommendations in The National Strategy to Secure Cyberspace. NCSD should provide us with a copy of the performance measures and timeline for periodically reviewing the performance measures to ensure that they are being met.

Recommendation #5: Define and communicate the roles and responsibilities of the division, its branches, and its staff.
Develop a plan to improve NCSD’s communications with its public and private sector partners, including home users, on its structure, mission, and roles as well as responsibilities regarding cyber security awareness and protection.

IAIP agreed and recognized the importance of defining and communicating the roles and responsibilities of NCSD to its branches and staff. IAIP agreed that the goal for increased public awareness of the roles and responsibilities of NCSD is a critical component to accomplish its mission. NCSD designed the US-CERT, launched the National Cyber Alert System, and has undertaken a number of programs geared toward sharing information and developing working partnerships with the public and private sectors. NCSD also has submitted a detailed outreach plan for calendar year 2004 that outlines a public outreach campaign for communications.

We agree that the steps NCSD has taken, and plans to take, satisfy the intent of this recommendation. NCSD should provide us with a copy of the outreach plan.

Recommendation #6: Develop and document a process to communicate and share information obtained on cyber vulnerabilities, threats, and incidents with key federal, state and local government intelligence, and law enforcement agencies.

IAIP agreed with our recommendation. NCSD is reviewing draft standard operating procedures on how its operations group handles, assesses, and coordinates emerging cyber related events.
These procedures will continually evolve and mature over time.

We agree that the steps NCSD has taken satisfy the intent of this recommendation. NCSD should provide us with a copy of the approved standard operating procedures.

Recommendation #7: Initiate and implement a process to oversee DHS and other federal, state, and local government efforts to protect their respective critical infrastructures from cyber vulnerabilities and threats.

IAIP accepted this recommendation and has active programs already being implemented to address the recommendation.

We accept IAIP’s response. NCSD should create a timeline to track the implementation of these active programs.

Recommendation #8: Develop and issue necessary guidance and directives on protecting critical infrastructures from cyber vulnerabilities and threats and improving security.

IAIP agreed with our recommendation. NCSD has issued guidance on protecting critical infrastructures from cyber threats and on the general improvement of security.

We accept IAIP’s response. NCSD should create a timeline for issuing directives on protecting critical infrastructures for both the public and private sectors.

Recommendation #9: Review and refine periodically the actions and recommendations in The National Strategy to Secure Cyberspace.

IAIP agreed with the intent of this recommendation.
NCSD monitors many of its initiatives, and will improve its evaluation and analysis process, in the context of the actions and recommendations in The National Strategy to Secure Cyberspace, as well as the other strategic documents.

We agree that the steps NCSD has taken, and plans to take, satisfy the intent of this recommendation.

Appendix A
Purpose, Scope, and Methodology

The objective of our audit was to determine whether DHS’ efforts to protect the nation’s critical infrastructure from a major cyber terrorist attack are adequate and effective. Our audit focused on NCSD, within DHS’ IAIP directorate. We determined whether: (1) NCSD’s organizational structure was established to fulfill its assigned roles and responsibilities; (2) NCSD has developed effective implementation plans; and, (3) NCSD is performing its oversight responsibilities as outlined in The National Strategy to Secure Cyberspace.

We conducted our audit between December 2003 and February 2004 under the authority of the Inspector General Act of 1978, as amended, and according to generally accepted government auditing standards. To fulfill our audit objective, we interviewed IAIP officials; NCSD’s Director, Deputy Directors, branch chiefs and staff; and other federal and non-government officials who work in coordination with NCSD.
We reviewed The National Strategy for Homeland Security, the Homeland Security Act of 2002, The National Strategy to Secure Cyberspace, The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, and Homeland Security Presidential Directive 7. We used these documents as criteria for DHS’ roles and responsibilities in identifying, preventing, responding to, and recovering from cyber attacks. Also, we reviewed documentation pertaining to IAIP and NCSD, including presentations, press releases, congressional testimony, organizational charts, websites, and various news articles. In addition, we assessed NCSD’s progress in implementing the actions and recommendations from The National Strategy to Secure Cyberspace.

The principal OIG points of contact for the audit are Frank Deffer, Assistant Inspector General for Information Technology, (202) 254-4100, and Edward G. Coleman, Director, Information Security, (202) 254-5444.
Major OIG contributors to the audit are identified in Appendix C.

Appendix B
Management’s Comments

Appendix C
Major Contributors to This Report

Office of Information Technology
Information Security Audits Division

Edward G. Coleman, Director
Barbara Bartuska, Audit Manager
Jeff Arman, Audit Manager
Chelsea Pickens, Senior IT Auditor
Foxhall Parker, IT Auditor
Meghan Sanborn, Referencer

Appendix D
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
General Counsel
DHS OIG Liaison
DHS Public Affairs

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4285, or visit the OIG web site at www.dhs.gov/oig.

OIG Hotline

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations, call the OIG Hotline at 1-800-323-8603; write to Department of Homeland Security, Washington, DC 20528, Attn: Office of Inspector General, Investigations Division – Hotline. The OIG seeks to protect the identity of each writer and caller.
'